chore: root commit of OWSAP security testing/tightening

scripts/restore.sh

@@ -13,6 +13,26 @@ if [[ -z "${BACKUP_FILE:-}" ]]; then
   echo "BACKUP_FILE is required."
   exit 1
 fi
+if [[ ! -f "$BACKUP_FILE" ]]; then
+  echo "BACKUP_FILE does not exist: $BACKUP_FILE"
+  exit 1
+fi
+
+CHECKSUM_FILE="${BACKUP_FILE}.sha256"
+if [[ ! -f "$CHECKSUM_FILE" ]]; then
+  echo "Missing checksum file: ${CHECKSUM_FILE}"
+  exit 1
+fi
+EXPECTED_HASH="$(awk '{print $1; exit}' "$CHECKSUM_FILE")"
+if [[ ! "$EXPECTED_HASH" =~ ^[A-Fa-f0-9]{64}$ ]]; then
+  echo "Invalid checksum format in: ${CHECKSUM_FILE}"
+  exit 1
+fi
+ACTUAL_HASH="$(sha256sum "$BACKUP_FILE" | awk '{print $1}')"
+if [[ "$ACTUAL_HASH" != "$EXPECTED_HASH" ]]; then
+  echo "Backup checksum verification failed for: ${BACKUP_FILE}"
+  exit 1
+fi
 
 if [[ -z "${DATABASE_URL:-}" ]]; then
   echo "DATABASE_URL is required."
@@ -23,6 +43,11 @@ RESTORE_DB="${RESTORE_DB:-skymoney_restore_test}"
 RESTORE_URL="${RESTORE_DATABASE_URL:-}"
 ADMIN_URL="${ADMIN_DATABASE_URL:-$DATABASE_URL}"
 
+if [[ ! "$RESTORE_DB" =~ ^[A-Za-z0-9_]+$ ]]; then
+  echo "RESTORE_DB must match ^[A-Za-z0-9_]+$"
+  exit 1
+fi
+
 if [[ -z "$RESTORE_URL" ]]; then
   echo "RESTORE_DATABASE_URL is required (example: postgresql://user:pass@host:5432/${RESTORE_DB})."
   exit 1